[cisco-voip] wireless phones

Mike King me at mpking.com
Fri Aug 27 17:42:53 EDT 2010


Yes.  You need a Locally trusted certificate on your IAS server (If you
have a choice, use NPS (NPS is IAS 2008) as it is much more
intelligent on the policies.)

Now, for the security conscious,  you *should* enable certificate
verification.  This would require loading the CA Certificate onto the
phone (easily done with the USB cable).  NOTE, you can use self-signed
CAs, or TRUSTED CAs (like Verisign), but unless you enable
certificate verification, the phone will implicitly trust ANY
certificate, even if it's been spoofed.

Certificate Verification means that if the RADIUS server presents a
certificate to trust, it will only trust Certs signed by the CA loaded
on the phone.  (Look up Man in the Middle 802.1x attacks.  This URL
http://www.cwnp.com/index/cwnp_wifi_blog/8752 has a good explanation
of the settings on a Windows XP client, and should make it clear why
this is a *Good Idea*)

Here's my complete 7925 setup directions (well, cut and paste from a
word document with pictures. This is from the standpoint of the USB
Web Connection)
We run a user account for each phone, so that if a phone needs to be
disabled, it only affects a single phone.

1.	Click on Setup - > Certificates
2.	Click Install on Authentication Server CA
3.	Upload the SelfSigned-CA certificate (DER encoded)
4.	Phone will prompt to restart, do so
5.	Relogin to phone
6.	Click on NETWORK PROFILES
7.	Click on Profile 1
8.	Set the Following:
a.	Profile Name: YourWireless
b.	SSID : YourSSID
c.	Security Mode: PEAP
d.	Username (Phone’s username)
e.	Password (Phone’s Password)
f.	Validate Server Certificate


On Fri, Aug 27, 2010 at 5:04 PM, Jeff Mottishaw <mottie at gmail.com> wrote:
> The Device Defaults on our cluster are set to CP7921G-1.3.4SR1 but of course
> the phone that I'm testing with was manually set to 1.3.3. That's a good
> step one.
>
> So with PEAP-TLS we would need a certificate on both the phone and the IAS
> server, with MSCHAPV2 would we only need it on the IAS server?
>
> Thanks!
>
> Jeff
>
> On Fri, Aug 27, 2010 at 10:22 AM, Mike King <me at mpking.com> wrote:
>>
>> Jeff,
>>
>> Have you considered just making another SSID, using WPA2-PSK, or WPA2
>> PEAP-MSCHAPV2?
>>
>> I initially had my phones on the same SSID as my users, but because we
>> need to require load balancing on our user wlan, I had to switch them
>> to another SSID with load balancing disabled.
>>
>> You will need a user account in your domain for PEAP-TLS or
>> PEAP-MSCHAPV2.  I just see the MSCHAPV2 as the easiest method.
>>
>> Also, I'd suggest going to 1.3.4b  (I think it's b, it's the latest)
>> as it has support for more EAP types. (Versus older firmwares, I know
>> 1.3.3 has them, but it was "broken")
>>
>> Mike
>>
>>
>> On Fri, Aug 27, 2010 at 12:38 PM, Jeff Mottishaw <mottie at gmail.com> wrote:
>> > I am in the process of migrating all of our users/laptops to a
>> > PEAP-TLS wireless configuration using Server 2008 Active Directory
>> > Certificate Services. That's all well and fine but now I'm a bit
>> > stumped:
>> >
>> > We have a number of 7921 phones and all the documentation I am coming
>> > across for setting them up with certificates talks about using Cisco
>> > ACS (which I don't have). Has anyone on this list used AD to store the
>> > certificates? I have been searching but there doesn't seem like there
>> > is a lot of information out there.
>> >
>> > I'm wondering if I need to make users/computers for the phones or how
>> > that works. I assume I need to make a certificate template for them
>> > and manually associate it, but I want to be sure before I go ahead
>> > with anything.
>> >
>> > Thanks in advance.
>> >
>> > Jeff
>> > _______________________________________________
>> > cisco-voip mailing list
>> > cisco-voip at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-voip
>> >
>
>
